Hacked websites: the low-down

Published on Wednesday, June 5th 2024

Many people think of website hackers as a computer expert sitting in a dark basement targeting specifically large companies for their evil gains. Small business owners often ask "who would they want to hack my website?" and believe they are safe, which is often far from the truth.

In this article I'll explain why people get their websites hacked, how they are hacked, who gets hacked, what can be done to stop it, and what to do if the worst happens to your website.

What do hackers want with a website?

Starting with the most obvious, I'm sure everyone knows why a hacker would want access to a bank's website. It is likely also apparent why they would want access to large websites with databases of usernames, (hashed) passwords and personal details, or those with data storage or ones that accept forms of ID. In this article we are omitting these as they aren't as common for the everyday business owner, however, if you have sensitive data that needs securing, then we can help, so feel free to get in touch.

This article will focus on 'normal' websites; ones that perhaps have regular publicly accessible pages and do not contain anything of perceived value to hackers.

The point to consider here is that each of these websites individually is not that valuable to a hacker, but a lot of them, collectively, are.

If a hacker was able to hack one website, or ten, or maybe a hundred, it won't necessarily do a lot. But if they can hack thousands, or millions, then they are useful.

A common use of a hacked website is where the contents look the same to human users, but when a search engine looks at them, they 'see' it change. Suddenly a website could appear, to Google at least, to have lots of content about, perhaps watches. Add a few links back to a dodgy watch supplier, and do this over tens of thousands of websites and the hackers will start getting better SEO, and more traffic.

Or the opposite can happen, the site can look the same to search engines, but have adverts and links all over it so that, over multiple sites, lots of users unknowingly click through to where the hackers want them to go.

Another example is where the hacker doesn't care about the website, but more the computer that it is on. They can use the computer's resources, or that of the end users, to mine crypto currency or perform tasks. Again, one website on one server is not enough, but millions is a valuable resource.

They can also be used as a gateway to perhaps distribute malware, giving users files that will be opened to infect their PCs, or using the server's resources to attack other websites.

With one example we saw a few years ago, the hackers just left a "you have been hacked" message, for no reason other than to hack more websites than a hacker competitor of theirs.

So, it's not necessarily about a hacker waking up and deciding to hack your website... more likely that yours is one of tens of thousands that is a small cog in a big machine.

How are they hacked?

So, the hacker doesn't need to hack one website, but needs to hack tens or hundreds of thousands, or sometimes millions, to make it worthwhile. So how?

Well, they need to find a common vulnerability, one found all over the web, and write a tool to exploit it.

Now, there are lots of ways that this can be done, but one way is simple because the answers are given straight to the hackers.

There are lots of open-source platforms around, and without wanting to target specific examples, WordPress, Magento and Joomla are common targets as they are so widely used. Being open-source simply means that the source code that makes up the platform is available for everyone to see.

As it's open-source, various agencies are able to write and sell plugins or extensions to these platforms, which is one of the huge benefits of a platform being open-source. Of course, crucially, these plugins and extensions are also open-source, and so everyone, including the hacker, can see their source code.

Let's now assume I had written a plugin for WordPress, published it, and had 250,000 downloads. I then notice a bug in my code that means it can be exploited by hackers, so I quickly fix the issue, and upload it for everyone to download. Great, yeah? Well, not really, because the hackers can also see my old code, my newly uploaded code, and automatically compare the two to see where the vulnerability was. Now, here's the best bit (for the hackers anyway), if they check for updates every day, they are likely to see the fix, and therefore vulnerability before most of my 250,000 customers! It's a bit like a supermarket putting out a warning on their PA system "attention, there is a red Ferrari by the cash machine with the keys inside, can the owner please remove them before someone else drives the car away" - see the issue?

So, all a hacker needs to do is check multiple plugins for updates, and once one is found that patches a juicy vulnerability, they find a way of detecting which websites run the plugins, and deploying a hack automatically, and hey presto, thousands or millions of websites hacked at once. And the hacker won't know who they have hacked, or even necessarily care.

The detection part of this is fairly simple, get list of websites and it's easy to check what platform they are on, and what plugins are used, all with versions. In fact www.wp-sec.com does this for WordPress, and www.magereport.com for Magento, and these even provide links as to the vulnerabilities and, if your a techie, how to exploit them.

There are of course lots of ways of hacking a website, especially if it's a targeted attack, and that's why we offer a security audit of websites, including a penetration test to highlight vulnerabilities. We can of course lock fix them and help lock down your website.

Who gets hacked?

So, targeted hacks aside, it isn't necessarily any particular type of business that gets hacked, but more websites that are on open-source platforms, especially those who have lots of plugins or extensions.

And, by not keeping the platform and extensions/plugins constantly updated, websites are far more likely to be attacked.

So, what can be done to stop it?

It's fairly simple really, keep everything up to date!

Ideally websites should be updated daily, but that of course incurs a lot of fees from web agencies such as ourselves. Clients can update plugins and extensions themselves, or even set them to auto-update, which sounds great in theory, but often causes things to break because plugins and extensions do not necessarily 'play nice' with each other. There's a sweet spot between costs and update frequency. Whether that is daily, weekly, monthly or less frequently depends on a lot of factors.

It is however, always a race between website owners and web agencies updating code, and hackers trying to get in. Unfortunately, website owners need to win every time, and hackers only once.

There are plugins and firewalls designed to help, for example WordFence for WordPress, and they usually do a good in helping to prevent a compromise. They are certainly worth installing, but there are two drawbacks. Firstly, a paid-for version is usually required for security against any brand-new attacks because the data is often deliberately kept out of free versions for a month (that's how they make their money). Secondly, even the paid for ones aren't instant and don't detect everything straight away. There's a lot more to it than this, for example the developers who make the security plugins may let developers know that their plugin is vulnerable, but the point is it’s all a big race between the good guys updating their websites, developers of security software trying to help, and hackers trying to get in!

Unfortunately, the hackers sometimes win the race. Given the number of websites and vulnerabilities, it's just a matter of time before they skip through the net.

So, in order to stop it, website owners should speak to a website security expert to see how vulnerable they are likely to be, perhaps make some initial changes to help secure the website, get some security software (or plugin/extension) and most importantly, keep their website up to date as much is viable.

It isn't perfect, but who is more likely to get burgled; someone with a full security system, or their neighbour who leaves their door unlocked and windows wide open all day every day?

It's worth mentioning backups, they are also important, but we'll get to that...

This approach will work the vast majority of the time and be suitable for most who are just worried about automated attacks. Those with extra security requirements, who hold sensitive data, or may be subject to something targeted should really talk to an expert.

What to do if you get hacked

First of all, don't panic and rush in to a quick fix! You could easily make it worse.

If, for example, you server deletes logs or any dodgy code/files you will likely make it harder for developers to investigate; we like to see what damage has been done and get clues as to how they got in!

De-hacking a website is a job for a professional, and it has to be done thoroughly. If anything is missed, you may need to start from the beginning. Get it fixed properly, or not at all.

If you have regular backups, it will be a great help as your web agency has something to compare the compromised code with, so have more confidence in finding anything troublesome. It also means they can potentially just fix the vulnerabilities and not have to worry so much about a back door being put in (lots of ifs and buts here).

Because every case is different, it's hard to say what exactly your web agency will do, and we don't want to give away our secrets, but a very simple explanation would be:

1. Use server logs, update/version history, automated and manual scans, and the malicious code itself to find out how the attacker gained access, and locate any other vulnerabilities.

2. Prioritise vulnerabilities, and fix all of those past a certain threshold of what you and the client deem appropriate. This is always a debate between cost and likelihood of success, and here you could easily cut corners and have to start over, or spend lots of money fixing something that's very unlikely to ever be abused.

3. Upload the changes, and resecure everything. This may be a case of simply changing usernames and passwords, but with deeper hacks can often be migration to a fresh, updated, secure server. Now is also a great time to declutter unused plugins/extensions, implement protocols such as 2FA.

When we are doing this for a new client, where we didn't build their original site, we have found that during this process we often find that corners may have been cut, or things could have been optimised better, and report this back to the client. One example, was where highly sensitive images were bundled in with others, and not kept secure. In this particular case the client took our advice and we restructured this part of their system. So, it’s certainly a good house-keeping exercise as the website is scrutinised.

Is it a big job to fix?

As you can imagine that varies, but likely not in the way you’d expect.

It’s not usually the severity of the hack that gives the variation, but more the state of the underlying system, and getting complexity in getting it all up to date.

Usually when we are contacted to resolve a hacked website it isn’t because the components are slightly out of date, but because the system has been left unmaintained for years and has lots of ‘technical debt’ to overcome. All of this has to be rectified in order to resecure the website, and sometimes components have become obsolete, or replaced, and so we open up a can of worms.

Also, if we have full server access our hands aren’t as tied, and decent backups make things a whole lot easier.

We can never guarantee a fix, but so far have a 100% success rate for those we have tried – not bad!

We obviously cannot fix a cost until we know what the issues are, but our estimates are usually accurate because, as I mentioned, it’s not necessarily based on the hack itself, but the state of the system, as a whole.

It’s worth adding that hacks will not go away. There is no use patching the issue as it’ll come back to bite you, and as more time passes you may find the hackers get in to the system deeper, logs (evidence) are replaced, and backups are overwritten. Ignoring the issue will, in the vast majority of cases, result in a much bigger problem, and much larger bill!